UK.gov wants mobile makers to declare death dates for their new devices from launch

Phone, tablet, and IoT gadget makers will have to state when they'll stop providing security updates for new devices entering the market, the UK's Department for Culture, Media and Sport (DCMS) vowed this morning. Today's pledge would see existing plans for internet-connected tat extended to smartphones and tablets, which is a …

  1. Brian Miller

    Force open source instead

    Instead of publishing a death date, force the manufacturer to publish the OS as open source, so we don't have to toss a good device into the landfill.

    Yeah, I know, that isn't so popular with the manufacturers, either.

    1. Dwarf

      Re: Force open source instead

      @Brian Miller,

      I came here to say the same.

      If the vendors won't support it, make it free so that we can support it ourselves, or refund the price we paid for it, or give us a free upgrade to the next product that you will support.

      We have to get out of the 2 years then landfill approach with technology.

    2. Anonymous Coward

      Re: Force open source instead

      Better yet, just allow folks to flash whatever the hell they like to their phones and have the warranty cover only the hardware regardless of software.

      While they're at it, if they can make the flash chips socketed, that'd be great. I don't care if the socket makes the phone thicker...fill the extra space with more battery.

      1. Anonymous Coward

        Re: Force open source instead

        The phones that are the hardest to flash are iPhones, but they're already supported for >5 years. The 5 yo 6S is on the latest iOS (probably dropping off the list for the next one), but even older iPhones are still getting security updates. ISTR my 4S or 5S (backup phones used as loaners to family and friends) got a security update last year - and both got new batteries a couple years ago (£20 each, fitted).

        Perhaps it's a choice between buying one that's easier to hack/flash or one that gets longer support.

        1. Anonymous Coward

          Re: Force open source instead

          I'll take the former over the latter please.

        2. Anonymous Coward

          Re: Force open source instead

          Yeah iPhones are technically supported for longer but arbitrary bit rot makes them gradually less usable over time.

          Benchmark your iPhone when it's new then benchmark it after every major update. You'll see what I mean.

          Apple isn't a white knight here.

    3. Wolfclaw

      Re: Force open source instead

      Once a product stops being supported, last update should unlock any protection that stops 3rd party OS's being installed, many a good phone or tablet has plenty of life left in them.

      1. Charles 9 Silver badge

        Re: Force open source instead

        I thought one of the biggest stumbling blocks to third-party OS support is that the manufacturers can't assure that level of support because the chips to them are black boxes with only binary blobs given to them by the chip makers.

        1. doublelayer Silver badge

          Re: Force open source instead

          Not really. Sometimes that's a problem, but most of the time, the stumbling block to third-party support is that the manufacturer has locked down all the things that you need. Custom versions of Android can run on phones with most kinds of SOCs. Certain ones are harder, for example because Mediatek doesn't release information about some of their chips, but the developers can get around some of that. Manufacturers have even less excuse, because they have access to documentation that we don't. They could update things but choose not to. Third-party developers can too as long as they have access.

        2. Anonymous Coward

          Re: Force open source instead

          Yes this crops up a lot with Broadcom tech.

        3. S4qFBxkFFg

          Re: Force open source instead

          Then, there needs to be a way of transferring the legal liability up the supply chain and impose the same obligations on the chip maker.

      2. big_D Silver badge

        Re: Force open source instead

        I agree, but somebody, somewhere still needs to provide explicit support for that device... You still need someone to provide drivers for the specific components and ARM isn't ARM, so simply re-compiling might not be enough in all circumstances - and you will need to possibly include specific workarounds for specific chipsets, because they have hardware vulnerabilities.

        It is possible, but it is also a lot of work, especially if the market is suddenly flooded with thousands of different models, all of which need some tailoring.

        It would require a very active community of developers, more than the current projects currently can provide. They often have problems now getting updates out for all the supported platforms in a timely manner. Throw in another thousand variants and they will be swamped.

      3. gnasher729 Silver badge

        Re: Force open source instead

        "Once a product stops being supported, last update should unlock any protection that stops 3rd party OS's being installed, many a good phone or tablet has plenty of life left in them."

        So when my phone isn't supported anymore, the manufacturer issues a kill switch that opens my phone up to attacks from any hackers, basically forcing me to stop using it? Think about what you're asking for. "Stops being supported" doesn't mean "stops working".

        1. Jimmy2Cows Silver badge

          Re: "Stops being supported" doesn't mean "stops working".

          That's not what's being suggested. Simply there's a danger that unsupported devices could become progressively less secure as new exploits are found for unpatched versions.

          Sure the devices will still work, but that really isn't the point. Open-sourcing the code for unsupported products would allow developer communities the option to continue supporting a product after the manufacturer has dropped it.

          The flip side is open-sourcing the code increases the chance of finding new exploits, and substituting legitimate binaries with malware disguised as an open-source update. So it's a double-edged sword.

        2. heyrick Silver badge

          Re: Force open source instead

          "the manufacturer issues a kill switch that opens my phone up to attacks from any hackers"

          That's pretty much the case already as all it takes is one vulnerability to be discovered, and you knowing that the manufacturer will not be providing updates and patches, it leaves only one course of action...

      4. Anonymous Coward

        Re: Force open source instead

        Should be unlocked from the get go, that way we can have better competition between software distributions and increased software quality.

        We could even reach a point where hardware manufacturers no longer need to waste money on producing software and thus bring the price of the phones down.

    4. big_D Silver badge

      Re: Force open source instead

      Somebody still needs to maintain the open source software for all those devices - and on mobile, each chipset is different, so you can't just use a single image, like you can with x86/x64 software. It has to be tailored to the hardware.

      That means, once end-of-life from the manufacturer is reached, somebody, somewhere needs to actively continue support. OSS makes that theoretically possible, but you still need the developer resources to backport it to hundreds of different types of device and test it.

      Being open source would help, but saying "it has to be open source", without ensuring the developers are there in the background won't help. An abandoned OSS project isn't any more secure than an abandoned closed source system.

      Android is, essentially, open source, just the Googly bits on top (that actually make it usable for most people) aren't. But you still need someone to backport the newest fixes to older versions / hardware - going to a newer version might not be possible, because it requires more enhanced hardware than that found on older devices, e.g. a move from 32-bit to 64-bit would stop newer versions being used on older, 32-bit only, hardware.

      1. MacroRodent

        Re: Force open source instead

        > An abandoned OSS project isn't any more secure than an abandoned closed source system.

        True, but with open source there at least is a non-zero possibility that some people will keep the device useful, instead of being destined for the landfill. This is more likely to happen with devices that are popular. As others have noted, the information (keys and such) for uploading a new version to the device must also be made available, source alone is not enough.

        1. veti Silver badge

          Re: Force open source instead

          "A non-zero possibility" is a pretty thin basis on which to build the regulation of a mass market industry.

          Open source would benefit some minuscule minority of users, which is nice for them, but statistically insignificant when it comes to either reducing waste or pressuring market players to perform better.

          1. ThatOne Silver badge

            Re: Force open source instead

            Indeed. Guys, you've missed the big picture (once again). Nobody cares what a vanishing minority of geeks can and will do, the vast majority of people won't go re-flash their old phones, even if they knew they have this option. If you don't believe me, try explaining the procedure to some elderly relative. Heck, anything more complicated than a "Click here to update" button would be too complicated.

            Besides, it would be a hacker's wet dream: Millions of clueless users installing something they stumbled upon somewhere on Internet, following the advice of some stranger on Facebook or some unsolicited e-mail...

            I don't say manufacturers shouldn't do it, I'm just saying it's not really a solution to the problem. And I'm afraid there isn't any, the very notion of cheap-as-dirt, fire-and-forget tat negates any possibility of follow-up work. The only thing the manufacturers can (and will) do, is brazenly lying about the support period...

            1. MacroRodent

              Re: Force open source instead

              Your elderly relative would probably not repair his/her car engine either, but would let a professional do it.

              Same thing with re-flashing the old phone. The existence of open-source updates would enable commercial maintenance business. This is how opening the software could reduce e-waste.

              I'm pretty sure the existing mobile phone repair shops that now do things like replacing broken displays could easily expand into installing aftermarket software updates.

              1. Anonymous Coward

                Re: Force open source instead

                "Same thing with re-flashing the old phone. The existence of open-source updates would enable commercial maintenance business. This is how opening the software could reduce e-waste."

                Also opens you up to lots of fraud. And to extend the analogy, how many here get those "your car's extended warranty" pitches in the mail and on the phone all the time?

                1. MacroRodent

                  Re: Force open source instead

                  I don't see why there would be any more fraud in this than in any other existing technical service businesses. Also, unlike with online fraud, if caught, the shady mobile repair shop owner is easy to find, and bring to the table with no bread on it, as we say round here.

                  1. Anonymous Coward

                    Re: Force open source instead

                    Mobiles are small and easy to transport, unlike say a car engine (or a car without one). This makes it easier to do a fly-by-night.

                    Garages tend to be local landmarks. Cell phone repair (at least in my area) tend to pop in and out on a monthly basis.

                    1. MacroRodent

                      Re: Force open source instead

                      Well, in my area (Helsinki) they tend to stay put for years. Not local landmarks, but not particularly ephemeral either.

                      Not that the disappearance of a shady mobile repair shop would matter much from a law-enforcement point of view. The guy could still be tracked down.

                      1. Anonymous Coward

                        Re: Force open source instead

                        "Not that the disappearance of a shady mobile repair shop would matter much from a law-enforcement point of view. The guy could still be tracked down."

                        How when they know they're coming and are prepared for it? I'd like to see how often that actually happens, because where I sit, it's rare enough that the few times they get caught (usually by doing something stupid, Darwin in action again) they make the news.

                        1. MacroRodent

                          Re: Force open source instead

                          I guess we live in fundamentally different societies, then.

      2. Anonymous Coward

        Re: Force open source instead

        You just described Linux on which Android is based.

    5. gnasher729 Silver badge

      Re: Force open source instead

      "Instead of publishing a death date, force the manufacturer to publish the OS as open source, so we don't have to toss a good device into the landfill"

      There are two things I don't understand. The first is, how would you justify the government stealing a manufacturer's OS code? The second is, how would having an open source OS stop a good device from being tossed into the landfill?

      Wouldn't recycling and making long living devices be much better?

      1. Jimmy2Cows Silver badge

        Re: Force open source instead

        On your first point, it's not really the government stealing anything. If the product is obsolete and unsupported, it's possible the code is too.

        That's a naive viewpoint, though, and deliberately glosses over an obvious flaw in such a plan.

        Parts of the code may be obsolete, but larger chunks are probably still very much in use. If the code is proprietary, any attempts to legislate such an approach would get fierce pushback from manufacturers in all industries, and raise serious questions about deepening government interference beyond their elected remit.

        A product being obsolete doesn't mean the IP behind it is obsolete.

        I do feel that governments threatening to legislate open sourcing the code for obsolete products could entice / coerce manufacturers into making longer-supported, longer-lived products, and that's better for everyone.

        Prices might go up though, but manufacturers would need to be careful to not price themselves out of the market.

        Your second point is valid. Open sourcing something wouldn't be any use to 99.999% of users.

    6. sabroni Silver badge

      Re: I know, that isn't so popular with the manufacturers, either.

      I don't want another device to manage, thanks. That's work.

      A consumer device should be a consumer device. If an "EOL" date becomes a common thing then manufacturers will have to compete on providing the longest lived devices.

    7. Anonymous Coward

      Re: Force open source instead

      This is noble (no sarcasm intended!) but totally unrealistic, because the mobiles have become, to quite some extent, portable vaults with id-related and bank-related apps. There is a reason why banking apps refuse to run on rooted handsets. If bootloader is 'locked', there's a chance it would be hacked with malicious admin account run in the background, but that chance is (relatively) very low, when the bootloader is locked and code locked away with this or that handset manufacturer. Sure, they do get compromised, but no such major leaks have been reported, which looks to me like this resource is - for now at least - relatively secure. Likewise, the govs that want to put various digital ids and vaccination apps on people's mobiles, will follow banks' example and will not allow their apps to be run on 'compromised' systems. So, in essence, open source is a great idea (and I wish I could un-fuck my mobile and take relatively full control) - but it will not work, it will not even be considered. Not with humankind, not the way it thinks, reacts, behaves.

    8. Rich 2

      Re: Force open source instead

      Just because a manufacturer EOLs a particular device, it doesn’t mean that the code is not reused for later devices, so it’s a non-starter to expect them to open source it.

      In addition, some of the code may not be theirs to open source - a manufacturer probably buys-in an OS (and possibly add-ons to that OS).

    9. ComputerSays_noAbsolutelyNo Silver badge

      Re: Force open source instead

      At least force them to provide either

      * the full specs and open source any firmware/software and underlying services

      * a working non-smart use-mode

      E.g. the refrigeration of a "smart" fridge typically outlasts the bolted-on infotainment and/or stock management. Thus, if the fridge's OS is end-of-life, I want to shut the "smart" stuff off, and run the fridge as a mere fridge. We don't need any more e-waste, especially when it comes to devices containing refrigerants that are by orders of magnitude more potent greenhouse gases.

      1. Jimmy2Cows Silver badge

        Re: Force open source instead

        * the full specs and open source any firmware/software and underlying services

        This is a minefield, as much of the underlying hardware and software, services etc. are proprietary and still in use, even if a product itself is EOL.

        * a working non-smart use-mode

        This should absolutely be a minimum, legally enforced obligation for anything "smart". Revert-to-dumb mode should be an option right out of the box, and none of the core functionality of the product should be lost in doing so e.g. a fridge still functions as a fridge, a TV still functions as a TV etc.

    10. adam 40 Silver badge

      Signed images

      As pointed out already, a lot of UEs use open source already. Even iPhones!

      However they don't allow the end user to load an image on, unless it has been digitally signed.

      Therein lies the problem.

  2. jdiebdhidbsusbvwbsidnsoskebid Bronze badge

    Just security, or functionality as well?

    Would be good if this extends to functional updates as well as security ones.

    Annoyingly, I've had to replace phones in the past not because they've worn out or broken, but because the lack of OS updates means apps and things stop working.

    1. Chris G Silver badge

      Re: Just security, or functionality as well?

      It would be nice if end of support or at least minimum support periods were published for all paid for apps, programs and services.

      Nowadays the process for bringing out new improved anything has little to do with progress and everything to do with marketing and driving new sales.

      Consumers are no longer customers, they are merely a resource to be tapped when a product is superseded by a new one.

    2. big_D Silver badge

      Re: Just security, or functionality as well?

      At the end of the day, functionality updates are nice to have, but security updates are critical to the use of the device.

      I can still use the device with an old UI that is missing some features that newer devices have, but if it is vulnerable to known security flaws, I'd be a fool to carry on using it.

      It would be nice to have them, and they should be provided for the first few years, but I can see it like extended support on Windows (pre 10), for example, where you get feature updates for the first few years, then it goes into extended support, where only security fixes are sent out.

      They have to fund those new features somehow, the only way, currently, is through the sale of new hardware. If you paid for the OS on a subscription basis, that would be another matter entirely, or you would have to pay significantly more for the devices to cover feature updates over a longer period of time.

      I suspect very few would be willing to pay for that.

  3. Anonymous Coward

    Even better, ban the sale of devices without a guaranteed minimum of 5 years' worth of security updates.

    1. karlkarl Silver badge

      Weirdly I actually wouldn't buy a gadget if it only offered 5 years. I also think if people saw a defined "death date" it would reduce the likelihood of an impulse buy.

      Might just be me and the fact that I expect better for my money. I write shite to last more than 5 years, why should I not expect the same?

      1. big_D Silver badge

        The "death date" should be prominently displayed on the packaging as well, not hidden in the T&Cs inside the packaging or in small print on the back of the box.

        1. Graham 32

          Best before and use by dates on food are clearly shown. Copy-paste that legislation. Done.

        2. Anonymous Coward

          re. The "death date" should be prominently displayed on the packaging as well

          you bet. It will happen. Not.

          1. heyrick Silver badge

            Re: re. The "death date" should be prominently displayed on the packaging as well

            And if it does happen, they'll use Japanese eras and Chinese numerals and anything else to technically comply by reporting the expiration, but in a way that makes it damn near impossible for people to figure out what it actually means.

      2. Richard Jones 1

        I suspect that is part of the issue being targeted. No one should want a phone that is only good for the next X months use. Why should they?

        That said, my semi mobile, (it is useless for home use) is out of updates since a year or two back. I put nothing of value on the semi brick. Banking on a postage stamp screen is for the birds, not me; I want to sit at a desk to deal with such work.

    2. Mike 137 Silver badge

      Even better still?

      Maybe the best situation would be to deliver devices that aren't riddled with bugs in the first place. It would be lovely if all this kit didn't need "support" to stop it falling over. If it was your house or a road bridge, you'd never put up with constant "updates".

      1. veti Silver badge

        Re: Even better still?

        Brilliant. Write software without bugs. Why hasn't anyone thought of that before?

    3. katrinab Silver badge

      Sale of Goods Act says 6 years for other things, so I would go with that.

      1. Anonymous Coward

        The Sale of goods act has been superseded.

        1. claimed

          Well, ha ha, an interesting point...

          SOGA is superseded by the Consumer Rights Act 2015... which applies to goods bought after October 2015...

          So SOGA is still valid for katrinab's 6 years, for another 6 months. Though I had thought it was 7 years.

      2. AndrueC Silver badge

        That act has been superseded. Anyway it (and the modern SOGA legislation) do not mean that goods have to last 6 years. It only means that the consumer has up to six years in which to take the matter to court. In effect it is just a 'statute of limitations'.

      3. gnasher729 Silver badge

        Sale of Goods Act says that after 6 years in the UK all your rights against the seller (you have no rights against the manufacturer anyway) disappear, and you're on your own, even if it is the seller's fault. It's the limit. The time when the seller can say "I don't know you, go away".

        That doesn't mean you have many rights after say two years. For example no rights to have defects fixed even after two years for many items. What the six years mean is, for example, that if your phone breaks down after 23 months on a two year trip to Australia (within the two years), you can go to a store there, have them write down what is wrong and when, and two years later back in the UK they have to fix it.

  4. Tron

    Best before dates.

    They could simply decide not to sell in the UK. One isolated market with its own rules. Not worth the risk of large fines. Much like the companies that stopped selling to the UK due to the new VAT rules.

    1. Boris the Cockroach Silver badge

      Re: Best before dates.

      That's a good idea... but runs into a very technical problem.

      You don't sell your kit here means that that leaves the market open for someone else to.

      And if there's one thing that the mega corps really hate it's losing money that could be stuffed in their tax haven instead of ending up in their competitor's tax haven.

    2. big_D Silver badge

      Re: Best before dates.

      France has something similar, Germany is planning this as well and France has also forced a "repairability" index on device manufacturers, spare parts for a minimum of 5 years etc.

  5. Ken Rennoldson

    Just a mo but 'Gov-backed consumer org Which?' is a tad wrong isn't it? Thought they were independent.

    1. fwthinks

      Correction?

      Is someone trying to have a dig at Which? or just slack work?

      From their own site - they claim to be completely independent - https://www.which.co.uk/about-which/who-we-are

    2. Blazde

      Maybe referring to their status as a 'Body Designated to make Super-complaints' which presumably the current Secretary of State for Business backs or else he could remove their status: https://www.legislation.gov.uk/uksi/2009/2079/made

    3. Anonymous Coward

      re. 'Gov-backed consumer org Which?'

      gov-backed = tax-backed= your-money-backed.

  6. Anonymous Coward

    Default Passwords

    Umm, so we go from tossing it into landfill because it has no security updates, to tossing it into the landfill because the password has been lost or forgotten and no-one knows how to get into it? Any usable solutions to that problem?

    1. Charles 9 Silver badge

      Re: Default Passwords

      Two ways:

      1. On first startup or factory reset, don't allow anything to run until someone logs in and sets a password.

      2. Set a default but random password that's used on first startup or factory reset, only put this password on a sticker set on the device itself.

      Both techniques can be combined.

      1. big_D Silver badge

        Re: Default Passwords

        This is already a legal requirement in some places, I think California, for example.

        QNAP changed their QOS recently to use the MAC address of their NAS devices as the default password. Forgot the password? Simply ping it and use "arp -a" to lookup the password...

        OK, you must change the password on first logon after installation / factory reset and, hopefully, the device is only available in a controlled network and the operator changes the password within a couple of minutes of turning the device on...

    2. doublelayer Silver badge

      Re: Default Passwords

      The law shouldn't ban publishing the default passwords. It should ban having a default password. Out of the box, it has no password. When someone wants to use it, they have to set the password. If they forget the password, they use the physical reset and it loads the factory firmware, allowing the user to set the password and reconfigure.

      Now for things given to less technical people, this can be annoying. I know for a fact that my family does not know the passwords to their internet equipment because I set it up. However, they need to balance the risk of annoyance for people who have to set a device up from scratch versus the security nightmare of having lots of things with default passwords. If the default password is "password", "admin", or the product name, not publishing that is not going to stop people figuring it out.

      1. Stripes the Dalmatian

        Re: Default Passwords

        Why not just make the IMEI number the default password? They'd all be unique and nobody would stick to the default.

        1. big_D Silver badge

          Re: Default Passwords

          Nobody? I suspect a large number of people would leave it as the default, if they weren't forced to change it during the set-up process.

          1. Pete B

            Re: Default Passwords

            It'd probably still be more secure left at that default than changed to name of dog/child etc.

      2. teebie

        Re: Default Passwords

        I did think that "publishing" was the wrong verb for that sentence.

        They should be banned from having a default password across a class of devices.

    3. Anonymous Coward

      Re: Default Passwords

      Recently had someone ask me about a locked iPad. Girlfriend locked it, they split up and she said he could keep it. She's headed back home to the US and doesn't want anything to do with my mate. Apple refused to unlock the device with the owner's express consent. Second person I've told that if Apple won't unlock it then it's screwed.

      So a £500 device is about consigned to the local council's e-waste dump skip, meanwhile kids in schools can't get enough IT kit and the planet is choking.

      I'm not Apple bashing, I love some of their kit but I would never own one of their mobile devices due to this practice of not wiping and allowing recycling of locked devices simply 'cos they don't want to get sued.

      1. John Robson Silver badge

        Re: Default Passwords

        "I'm not Apple bashing, I love some of their kit but I would never own one of their mobile devices due to this practice of not wiping and allowing recycling of locked devices simply 'cos they don't want to get sued."

        Erm - isn't this (purportedly) to stop the reuse of stolen devices...

        If a stolen device can't be reset and used then it's of no value to the thief.

        1. doublelayer Silver badge

          Re: Default Passwords

          This is exactly correct. It's a deliberate antitheft measure. Sure, it can be annoying if you don't know the details to unlock something, but I think most nontechnical and some technical people would prefer the protection against theft given that someone with the proper details can erase and reuse the device. Android with Google's services does the same thing.

  7. Claptrap314 Silver badge

    For most of this stuff

    If you define the "death date" as the last date that updates are guaranteed, that would be DOA.

  8. alain williams Silver badge

    The date to be printed on the box ....

    web site touting it (including retailers' & second hand sale web sites) all in a nice big point size.

  9. Claptrap314 Silver badge

    A bit of sympathy for the Devil here.

    Most LTS releases for Linux distributions limit to 5 years--from the original release. The next LTS typically comes out two years later. Which means that LTS means "four years on average, but maybe three".

    That's not so bad for a lot of environments, but it's laughable when talking about consumer devices.

    The first problem is that you probably need at least six months to get a design out the door. So now, you're talking 2 1/2 years from FIRST hitting the shelves to EOL. If that device stays on the shelf for two years? You have six months left.

    Now, you can probably recover a quarter by timing your release. Probably.

    The solution of course is for the manufacturers to assume the responsibility of becoming distribution maintainers.

    Oops.

    --

    Internet-connected consumer devices represent a hard problem even for some company that was trying hard to do the right thing. As I mentioned for one prominent manufacturer, the solution is to have an easily-replaced module with all the internet stuff on it that can be replaced every three-four years for a modest fee. But that's only an option for things like TVs & stereos. Smaller & cheaper devices will not be able to bear the marginal costs and remain competitive.

    1. BinkyTheMagicPaperclip

      Re: A bit of sympathy for the Devil here.

      Oh dear, how sad, never mind. What's for tea?

      This is for security updates. Not for OS updates.

      If it means that it means there's fewer cheap devices as manufacturers now have to get assertions from the chip producers to support for several years, and less landfill, then fair enough.

      The security and environmental cost has to be met some time.

      1. Claptrap314 Silver badge

        Re: A bit of sympathy for the Devil here.

        Last I checked, security updates are part of the OS updates.

        Even if you somehow isolated just the security updates, those are what terminate after 5 years.

    2. alain williams Silver badge

      Re: A bit of sympathy for the Devil here.

      Most LTS releases for Linux distributions limit to 5 years--from the original release.

      But that is not a problem since it is not very hard for the user/owner to upgrade your laptop/... to the next LTS release. The problem is things that cannot be upgraded at all once the vendor has lost interest.

      1. Stripes the Dalmatian

        Re: A bit of sympathy for the Devil here.

        Perhaps more Linux phones and fewer Android phones would make the world a better place?

        1. big_D Silver badge

          Re: A bit of sympathy for the Devil here.

          Android is Linux based (and iOS is BSD UNIX based). But it still needs the manufacturer's support and support from the chip manufacturer as well to keep the updates coming.

          Linux on ARM isn't the same as Linux on x86/x64.

      2. Claptrap314 Silver badge

        Re: A bit of sympathy for the Devil here.

        Okay. Explain to me please how to upgrade the OS on my "smart" TV. Or a Sonos system.

  10. BinkyTheMagicPaperclip

    Finally!

    I've mentioned this numerous times and generally people don't care because of mobile contracts and upgrades. Initiatives which stop a ridiculous amount of landfill and increase security have to be a good idea.

    It wouldn't be accepted if your three year old computer had to be thrown away.

    It might also mean that mobile phone companies start concentrating on their software. Too many are largely hardware focused then slap on a barely touched Android as an after thought.

    1. hayzoos

      Re: Finally!

      I wish my smartphone had a barely touched Android. My last two phones were emergency replacements for the previous ones wearing out after 5+ years of use. Both had copious amounts of touch to Android by not only the manufacturer, but also the carrier. I have used extensive measures to get back to generic Android as closely as I can without breaking things. I have tried the custom ROM route also. It's my phone not your spy tool or ongoing revenue generator. I use a smartphone for a handful of particular apps I use for my revenue generation.

      1. BinkyTheMagicPaperclip

        Re: Finally!

        To be specific, I do of course mean useful customisation. I'm a big fan of keyboard phones, but other than Blackberry's offerings, the boutique offerings simply do not match up with Blackberry's bundled software and suffer for it, even if the hardware mostly worked.

        Ensuring compatibility, bundling or developing third party apps if the standard one is weak (such as the default camera app).

      2. big_D Silver badge

        Re: Finally!

        I haven't bought a carrier branded phone for nearly 2 decades. I always get carrier-free phones, whether that be a high end smartphone or an entry level smartphone from Wiko, Nokia or Samsung etc.

    2. big_D Silver badge
      Facepalm

      Re: Finally!

      Most of my family keep their Android phones for between 5 and 8 years. My brother-in-law swapped out his Samsung Galaxy S4 Mini last year, for example...

      I cringed every time I saw him using it!

    3. Eclectic Man Silver badge

      Re: Finally!

      BinkyTheMagicPaperclip: "It wouldn't be accepted if your three year old computer had to be thrown away."

      Indeed, my father got his current PC some time ago, it runs Windows XP, I believe, is connected to the mains power supply and the printer and still works. Of course he has to store stuff on 'floppy disks'. But not only is it air gapped from the Internet but no thief could possibly want to steal a computer with such a low resolution CRT display. (He is 93, and when he got it did not see the point in any long term investments in equipment as he wasn't expecting to be around for very much longer. He still walks to the shops every day.)

  11. Ken Moorhouse Silver badge

    declare death dates for their new devices

    There is no need to do this.

    Upon manufacture, arguably many IoT products immediately fall under the WEEE directive.

  12. Lucy in the Sky (with Diamonds)

    Death Date

    They should put certified Death Date stickers on people at birth, so that they can plan their lives better. Sort of a no-surprises policy. My car is about to turn 32, yet the manufacturer still sells me all the parts I need. I use electronic kit every day that dates back to 1990, and mechanical things that were made in the 1920s. Fair enough, they have no internet connection and software, but that is the exact reason I like using stuff that have none of those things, they just work forever.

    1. BinkyTheMagicPaperclip

      Re: Death Date

      Probably worth watching The Brand New Testament, or reading the Machine of Death collection to see the downside of that.

  13. Anonymous Coward
    Anonymous Coward

    Missing the Point.....

    Large Corporations shipping IoT devices and matching smartphone apps do not give a flying f**k about security. In fact they are actively working to defeat any sensible definition of "security".

    *

    What they are concerned about is transforming the revenue for a (one time) purchase of a device....

    ....into a (continuing) stream of valuable marketing data.....and the resulting continuing stream of cash from data sales.

    Oh.....and don't forget that poor IoT security doesn't just provide this benefit from the IoT device itself. The IoT device will be a backdoor into the customer's LAN.

    And the matching smartphone app will be a backdoor into everything on the customer's smartphone.

    Remind me again why Large Corporations should care at all about IoT security!! Does the phrase "smoke screen" ring a bell?

  14. spireite Silver badge

    It's only working for how long?

    This would have the effect of changing some people's purchasing plans.

    What constitutes a death date? Anticipated last pushed OS update?

    Let us be honest here... how many grannies will be demonstrably checking for an update manually?

    Heck, I know some that have been so conditioned to click 'No' to any pop-up for fear it's a hack attempt, that they click no to upgrade prompts.

    Couple that with switching their devices off when they don't need it, such as 10pm to 10am, then the auto 'update and apply' never gets a look-in

    So, what does it really achieve?

    I'm all for open-sourcing the OS's, but it will never happen, and the likes of LineageOS will never be mainstream outside of our geek (like myself)

  15. Anonymous Coward
    Anonymous Coward

    yet a great number still run older software with holes in their security systems

    BECAUSE. THE F****** C****S THAT. CALL. THEMSELVES. MANUFACTURERS. PREFER. TO SELL. NEW. JUNK. (AKA PROFIT! MORE PROFIT! MORE! MORE! PROFIT!!!!) than to spend a dime (or a penny) on patching 'old' (aka usually past 2 years 'old') devices. So, unless you FORCE them to provide minimum patch support for a minimum of 5 years (or similar, but hell, not in the broadband fashion of 'up to 5 years', because it will be abused), they will continue doing what they're doing. Such gov 'interventions' are just to demonstrate that 'the gov' cares about the plebs. Fuck no, it cares that people spend MORE (growth!) and buy MORE (growth!) because 'growth is gooood!!!!' (to paraphrase 'The Wall Street'). But in my mind, that growth coincides with Coyote from the roadrunner, usually running out of solid ground underneath... with a stupid grin on the snout when gravity FINALLY catches up.

    1. Loyal Commenter

      Re: yet a great number still run older software with holes in their security systems

      not in the broadband fashion of 'up to 5 years'

      Don't even get me started on that particular egregious abuse of the English language for the purposes of marketing. Suffice it to point out that "up to" means any number less than, including zero.

      So, "removes up to 100% of flakes" means "may do nothing", "up to 1GBPS" means "may have a transmission rate of zero", "up to 80% of correspondents loved it" means "everyone might have hated it", and so on.

  16. Loyal Commenter

    Poor Marketroids

    The plans are likely to meet stiff opposition from device makers as end-of-life dates for devices are usually an open secret among the tech-savvy but stating them at the launch of a brand new bit of hardware is unlikely to be popular with manufacturers' marketing teams.

    Somehow I'm failing to muster any sympathy for a group of people whose job involves being as wilfully misleading as humanly possible being forced to explore the concept of honesty.

  17. Eclectic Man Silver badge

    Guarantees?

    Apologies if any of the preceding 60+ comments have already stated this.

    Surely what the government really wants is a guarantee from the manufacturers that they will fully support a device and the attendant software at least to a specified date. Whether the manufacturers wish to continue support after that date could be left to them. This, of course, puts pressure on the 'designed obsolescence' strategy to make sure that people have to replace their devices every so often in order for them to work with the latest technology when the older technology is 'phased out'.

    The problem the manufacturers have is that if a product flops or fails to sell well enough, they would be legally obliged to support it for some considerable length of time at their cost. Customers would know when a new product was going to be announced because a successful product would be nearing its mandated end of life, so would hold off buying the latest version of fondleslablet* knowing that a new release would basically have to be around by a certain date.

    Superficially it all sounds well and good, but when you get into the marketing and company product strategy details I suspect that it is not so simple.

    *Personally I am holding out for the iPhone 37XXXVWE, which at the current rate of new features being added I confidently expect to be able to rescue my soul from the lower circles of Hell, should the need arise.

    1. Jimmy2Cows Silver badge

      Re: the problem the manufacturers have is that if a product flops or fails to sell well

      The problem the manufacturers have is that if a product flops or fails to sell well enough, they would be legally obliged to support it for some considerable length of time at their cost.

      I don't see this as a problem.

      If, rather than just throwing a bunch of shit at the wall and hoping some of it sticks, this forces manufacturers to actually think about their products, how they will support them long term, and take the time to make them worthwhile purchases, IMO that can only be a good thing.

      1. Eclectic Man Silver badge

        Re: the problem the manufacturers have is that if a product flops or fails to sell well

        @ Jimmy2Cows "I don't see this as a problem."

        It might not be a problem for you, and I am quite keen for reliable products too, but I suspect it will be problematic for the companies and their bean-counters. They will be less inclined to take risks with innovative products. But anyway we'll see if anything comes of this.

    2. doublelayer Silver badge

      Re: Guarantees?

      "Customers would know when a new product was going to be announced because a successful product would be nearing its mandated end of life, so would hold off buying the latest version of fondleslablet* knowing that a new release would basically have to be around by a certain date."

      I don't think that's a problem. If the guaranteed support lifespan was five years, that's already much longer than the typical cycle. iPhones are good examples of this--they already have about 5-7 years of support, yet they make a new one every year. People tend to buy new ones for the features or because their previous one broke. Most people either buy one when they decide it's good enough or keep their old one until it doesn't work anymore. They do tend to wait until October to see whether the new one is interesting, but they won't wait the full five if they're considering a purchase already.

      1. Ken Moorhouse Silver badge

        Re: Customers would know when a new product was going to be announced

        For the average man in the street I think another common occurrence is for the service provider to start badgering customers when their contract is due to expire. "Get a new phone for nothing and reduce your monthly outlay" is the ploy, but what is not so well advertised is that a new contract for x year(s) is being signed.

  18. AlgernonFlowers4

    Mobile Intergalactic Liberation Front!

    Siliconia is going to be a cold lonely place if mobiles are stopped from going to landfill.

    Won't no-one think of the Mobile Intergalactic Liberation Front?

    1. Jimmy2Cows Silver badge
      Angel

      Re: Mobile Intergalactic Liberation Front!

      But, where do all the calculators go?

  19. Anonymous Coward
    Anonymous Coward

    This is probably naive, but..

    I'd prefer to be able to buy a phone as just hardware onto which I could install whatever phone software I wish/can afford. My preference would be a form of Linux designed for phones, but that's just me. I'd love to be able to have a phone that did just the following: text, email, voice, and if it has a camera built in, take pics too. I don't want answerphone, or the internet, ta very. And I want a proper physical button keyboard.

    OK, so that's just me, but others could choose just the services they want too, and many/most would no doubt want the full-fat internetty stuff too - great, they can just install the stuff they want. If hardware makers were just hardware makers, then folk could choose to go with the latest and greatest, or the most reliable/longest lasting as they see fit. And if the phone OS's were created by companies that were not the same as the companies that provide the hardware then again, users could have choice.

    Before anyone makes the point about installing an OS not being most people's cup of tea, if there was a lockable slot such that a storage device could be easily inserted and removed from which the device would boot, then OS makers could simply sell their wares on suitable storage devices, so it'd be a case of choose which hardware you like, choose the OS, insert the latter into the former, charge up and you're good to go.

    As for security in that scenario, perhaps I'm missing something (probably - you lot know far more than I do about relevant matters!) but in the scenario I posit, the phone becomes much the same as the desktop PC aside from being rather more portable, and security issues should be much the same, for much the same reasons. Except I'd get to have a phone that ISN'T full of junk I have no interest in, and others would be able to customise the software on their phones to please their needs/wants too.

    But then I'm thinking of mobile phones as useful devices that a user chooses to buy and use as they wish, rather than a deliberately disposable method of parting consumers from their money for the benefit of company directors and shareholders somewhere. Silly me...
